This can happen if you are using policy-based IPSEC and if the outgoing interface of the RST packet is not included in the encryption domain.
NK

On Tue, Jan 17, 2012 at 11:01 AM, ashish verma <ashish.s...@gmail.com> wrote:

> Yes it is "reject".
> Just found out that it is only over the IPSEC tunnel. Without IPSEC tunnel
> it seems to be working.
>
> On Tue, Jan 17, 2012 at 4:07 PM, Ben Dale <bd...@comlinx.com.au> wrote:
>
> > Ashish,
> >
> > On 17/01/2012, at 1:19 PM, ashish verma wrote:
> >
> > > In our SRX deployment I am seeing an issue where client does not receive a
> > > ICMP message back after getting denied by the policy.
> > >
> > > I can see that packet got dropped by the policy and SRX generates the
> > > tcp-rst but client does not receive anything.
> >
> > Can you confirm that your policy action is "reject" and not "deny"?
> > Otherwise the traffic will be dropped silently.
> >
> > Cheers,
> >
> > Ben
> >
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp